JPS63176043A - Secret information communicating system - Google Patents

Abstract

PURPOSE:To attain simultaneous communication of identification secret data and secret information by using a parameter with less processing quantity as an open key in using an open key cryptography and using a verification secret data and a one-way function arithmetic unit to verify the adequacy at the secret information communication. CONSTITUTION:In the secret information communication using a digital signature, the verification open data by a 1-way function arithmetic unit 20 is calculated at the sender side, the cryptographic open key, decoding by the cryptographic key and the verification open data by the one-way function arithmetic unit 20 at the reception side are executed to verify the adequacy of the secret information. That is, the cryptographic processing by the open key is enough at the sender side and a value decreasing the quantity of cryptographic calculation is used to relieve the load of calculation by the sender. Moreover, in the 1-way function, it is easy to calculate a function f(theta) from a parameter theta but it is very difficult to calculate the parameter theta from the function f(theta) conversely because the quantity of calculation is very large.

Description

Detailed Description of the Invention "Field of Industrial Application" The present invention relates to a method of communicating secret information using encryption between two communication devices that communicate via a communication line, and in particular, The present invention relates to a secret information communication method suitable for application to communication between communication devices having a large difference in processing capacity, such as between a terminal device and a center.

Note that the communication device in this specification refers to a device with a communication function, such as a terminal device, a communication processing device, a communication control device, a switch, and a computer.Hereafter, for simplicity, it will be referred to as a node. Sometimes called.

``Prior Art'' In order to safely communicate confidential information between nodes, communication using encryption is effective. The content of the secret information is arbitrary; for example, a secret document, an encryption key shared between nodes,
For example, a password.

It is known that cryptography includes conventional cryptography and public key cryptography. These cryptographic methods will be explained below. In the following explanation, "encryption key" is simply referred to as "
Sometimes called a "key".

(1) Conventional ciphers In conventional ciphers, the encryption key and decryption key are the same,
Each key is a secret cryptographic method. Here, a general method of describing the operation of a conventional cryptographic device (that is, a cryptographic device using a conventional cryptographic device) will be described. By @ cryptography, any data X can be converted into l! The value encrypted using K is E(
K;
Let D(K,Y) be the value decoded using
1). In other words, i! The original data X can be obtained by decrypting the data encrypted by K using the same key K.

For example, D
ES encryption (“Data Encryption”)
Standard'', Federal I
nformationProcessingSt
andards Publication 46.
U.S.A. (1977)), and the FEAL cipher (
Shimizu et al.: “High-speed data encryption algorithm PEAL”
, IEICE Technical Report, (Information Theory), Vol. 80
．． No, l13, IT86-33, pp, 16, (1
There are cryptographic algorithms such as 986)).

Conventional cryptography can perform encryption and decryption quickly, but it is difficult to deliver the encryption key.

(2) Public key cryptographyPublic key cryptography differs in that it uses a pair of public keys and private keys.
It is a type of encryption in which the public key is made public and only the private key is kept secret. Here, the public key is an encryption key, and the private key is a decryption key.

RSA encryption is the current representative public key encryption.
(For example, R1vest, R, E, et al,
“AMethod for Obtaining D
1g1tal S ignature and Pu
blic-Key Cryptosystems”,
Communications of the A
CM, Vol, 21. No, 2. pp, 120-126
(see ゜ (1978)). The RSA encryption will be explained below.

First, the description method will be explained.

When A, B, and L are arbitrary integers, the remainder of B modulo L is A, as A=B (mod
It is expressed as L)・−・(2). At this time, 0≦A<L. Also, when A1B1 and L are arbitrary integers, the integers A and B are congruent modulo the value, A =
It is expressed as B (mod L)...-(3). Furthermore, the remainder A'' (mod N) of A to the B power, where N is an arbitrary integer and the modulus is N, is expressed as E X P (A,
B) Represented as (mod N)--(4). Finally, the integer parameters of the RSA cipher, namely the plaintext M
1 ciphertext 01 public key e1 private key d1 public modulus value is N, then C=EXP(M, e)(nod N)
--(5) M=EXP(C,d)(mod N)-
−(6). Here, 0≦M<N O≦C<'N N=p°q c c D (d, (p-1)・(q-1))=1e
-d=I (mod LCM(p-1, qN)...
...(7) where p and q are different integers. GCD() and LC
M( ) represents the greatest common divisor and least common multiple of the two integers in parentheses, respectively.

According to this public key cryptography, the original plaintext M can be reproduced by encrypting and sending out the message using equation (5) on the sending side, receiving it on the receiving side, and decrypting it using equation (6). Can be done.

The R9A encryption calculation method and the R9A encryption parameter generation method are described, for example, in the above-mentioned paper by R1vest et al. Further, the R9A cryptographic device and the RSA cryptographic parameter generation device used in this calculation can be realized by hardware or a combination of hardware and software. Note that there is a known method for speeding up the decryption process by calculating using the prime numbers that make up the modulus value N (for example, "Modern Cryptography Theory" by Baka Ikeno, Communication Society (1986), pp. 1
17-119).

The R9A encryption requires a large amount of calculation for encryption and decryption, and has the disadvantage of slow processing speed. In other words, in RSA encryption, the cipher can be decrypted by decomposing the modulus value N, which is one parameter of the public information, into prime factors, so the modulus value N
is two large prime numbers (e.g., about 100 in decimal)
It is necessary to make it a product of (prime numbers of digits). Therefore, the modulus value N
is a large integer (for example, an integer of about 200 digits in lO base), and the processing time for encryption and decryption becomes long. Other public key cryptosystems such as Rabin cryptography (e.g., Rabin, M, O, "D1g1taliz
ed S ignature and Publi
c-Key functions as I
ntaractableas F actoriza
tion", MIT/LCS/TR-2
12 (1979)) is similar.

However, in both RSA encryption and Rabin encryption, if parameters are appropriately selected, the processing time for encryption can be made shorter than the processing time for decryption.

When communicating confidential information using such cryptography,
The node on the receiving side of the secret information needs to authenticate the validity of the secret information (that is, the legitimacy of the sender of the secret information and that the secret information has not been tampered with). As a method for authenticating the validity of secret information, a method using a digital signature of public key cryptography is known.

For example, when a digital signature of public key cryptography is used as an authentication function necessary for secret information communication, it is as follows. Let communication party A's public key be PKa and private key SKa,
The public key of correspondent B is PKb.

Let the private key be SKb. In the transmission of secret information S from communicator A to communicator B, communicator A transmits communicator A's secret 1!
S K a decrypts the secret information S together with the public identifier of correspondent A, and further decrypts the data with correspondent B's public key PK.
b, and send it to correspondent B as a message. Correspondent B transfers the received message to correspondent B's private key SKb.
The data decrypted by
to obtain the secret information S. The validity of the secret information S is that the public identifier obtained with the secret information S is
is equal to the identifier of correspondent A obtained in advance.

"Problems to be Solved by the Invention" By the way, the above-mentioned conventional cryptographic processing technology has the following problems.

In other words, in secret information communication using public key cryptographic digital signatures, each node must perform encryption and decryption calculations before obtaining the secret information, which increases the amount of calculations and slows down the processing speed. There is.

The present invention was made against this background, and its objects are as follows.

■In communication of secret information between multiple nodes, public σ
When a-key encryption is used, a parameter with a small amount of processing is used as the public key, thereby reducing the amount of calculation for encryption processing in the public key encryption device of one of the communication devices.

This allows, for example, a center (i.e., a computer) where two communication devices are interconnected by a communication line.
To provide a secret information communication method that can be applied relatively easily even when the terminal device is a terminal device.

■ Authentication of the validity of secret information during secret information communication is performed using secret authentication data and a one-way function calculation device, making it possible to communicate the secret authentication data and secret information all at once. shall be.

"Means for Solving the Problems" In order to solve the above problems, the present invention provides communication between first and second communication devices, each of which has a public key cryptographic device and a one-way function calculation device. , a secret information communication system for communicating secret information, is characterized by having the following steps [1] to [4].

■The first communication device generates authentication secret data for authenticating the validity of the second communication device or the first communication device, and authenticates using the one-way function calculation device from this authentication secret data. a first step of calculating and publishing public data for authentication, ■ a second process of holding the public data for authentication sent from the first communication device in the second communication device, ■ first communication A third step in which the device encrypts the secret information and authentication secret data with a public key cryptographic device and transmits the ciphertext to the second communication device; ■ The second communication device encrypts the received ciphertext; A first communication that is decrypted by a public key cryptographic device to obtain secret information and authentication secret data, and that already holds output data obtained by manually inputting the authentication secret data to a one-way function calculation device. A fourth step of comparing the information with public authentication data of the device and, if they match, authenticating that the information is the secret information transmitted from the first communication device and obtaining the secret information.

1. Effect" According to the above means, on the transmitting side, by inputting secret authentication data to the one-way function calculation device, public authentication data is created and made public.

Furthermore, the secret authentication data is encrypted together with the secret information using the public key, and the encrypted data is sent to the sending side.

On the other hand, on the receiving side, the sent data is decrypted using the secret key to obtain secret information and authentication secret data.

In addition, the obtained authentication secret data is input into a one-way function calculation device to create authentication public data, and this is compared with previously held authentication public data. If these two pieces of public authentication data match, the validity of the obtained secret information is authenticated.

That is, in confidential information communication using a digital signature according to the present invention, on the sending side, public data for authentication is calculated by a one-way functional calculation device and encrypted using a public key, and on the receiving side, decryption is performed using a private key. The validity of the secret information can be authenticated by calculating the public data for authentication using the one-way function calculation device.

In other words, on the sending side, all that is required is encryption using the public key.
There is no need to decrypt with your own private key and encrypt with the other party's public key, as in the past. Therefore, by using a value that makes the encryption computer smaller (for example, a small value public m>) as the public key, the calculation burden on the sender can be reduced. It is suitable for sending secret information from a small device to a device with large processing capacity, such as a center.

Note that a one-way function is defined as a function value r(
It is easy to calculate the function value f(θ), but conversely, the function value f(θ
) is an extremely difficult function because it requires a large amount of calculation.

The secret information communication method according to the present invention can be applied to, for example, communication between two nodes and communication between one node and two or more nodes. Further, the physical configuration of the communication network (eg, dedicated line, switched line, private network, etc.), communication network interface, and communication protocol used in applying the present invention can be arbitrarily selected.

"Embodiment" Hereinafter, an embodiment of the present invention will be described with reference to the drawings. Hereinafter, the identification names of the nodes in the communication system (that is, the nodes and the communication network interconnecting the nodes) targeted in this embodiment will be node i and node j. Further, as an example, a case will be described in which RSA encryption is used as public key encryption. The public key cryptographic device in this case is an RSA cryptographic device.

Note that the integer in this embodiment means a non-negative integer.

FIG. 1 is a block diagram showing the configuration of a communication device I used as a node i or a node j.

In the figure, 10 is an RSA encryption device, and 20 is a one-way function calculation device, which will be described later. Further, 30 is an RSA cryptographic parameter generation device. This R
The SA cryptographic parameter generation device 30 generates a prime number and generates a modulus value N1 public key PK1 and private key SK in accordance with the prime number and the above-mentioned R9A cryptographic algorithm.

Said component to, 20.30 is connected to a processing device 51 via a signal path 41. The processing device 51 executes various calculations and controls according to programs stored in the storage device 52. It also communicates with an external communication device via the line control device 53 and communication line 61. Note that there is a signal path 42 between the processing device 5I and the storage device 52,
The processing device 51 and the line control device 53 are connected through a signal path 43, respectively.

Next, the configuration of the RSA cryptographic device IO will be explained with reference to FIG.

(a) In the case of encryption, as shown in equation (5) above, for input data M, public Mv! 1PK (corresponding to e in equation (5)) is used as an exponent to calculate the remainder by the modulus value N, and output the calculation result C. In the case of (b) decoding, the above-mentioned (6 ), the data C is decrypted using the secret key 5K (corresponding to d in equation (6)), and data M is output.

In FIG. 2, a signal path 12 is a signal path for inputting incoming horn data M (or C) to the RSA cryptographic device 10, and inputs arbitrary integer data M (or C).

The signal path 13 is a signal path for inputting a key, and is a signal path for inputting an encryption key (
public key PK or private key SK). Signal path 14
is a signal path for human power with a modulus value N, and inputs the modulus value N. The signal path 15 is a signal path for outputting output data C (or M) that is a processing result of the R8A cryptographic device 10.

Next, referring to FIG. 3, the one-way function calculation device 2
0 will be explained. A one-way function is expressed as f(·). A one-way function is a function in which it is easy to calculate r(θ) from the parameter θ, but it is extremely difficult to calculate θ from f(θ) due to the large amount of calculation. It is. The unidirectional function calculation device can be realized by hardware or a combination of hardware and software.

A suitably selected conventional cipher (e.g., DBS cipher, PEA cipher)
When the key is K, the encryption of data θ using the key K is E (K ; θ) as described above.
(see equation (1)), the one-way function f(θ
) can be set as follows.

f (θ) - E (K : θ) eθ (8) Here, f (θ) is the public data for authentication, the encryption key θ is the secret data for authentication, and the symbol is the exclusive data. represents the logical disjunction. For example, XΦY
represents the exclusive OR of X and Y. In addition, public information is
These are the encryption algorithm of the encryption function, ¥ilK, and public authentication data f(θ).

FIG. 3 shows a one-way function calculation device 2 that executes the above calculation.
This is a configuration example of 0. The unidirectional function calculation device 20 includes a diversion device 21 that divides human data θ into two directions, and an encryption key K.
a conventional cryptographic device 22 that encrypts input data θ by
An exclusive OR calculation device 23 that calculates the exclusive OR of data E (θ, K) output from the conventional cryptographic device 22 and human data θ, and signal paths 24.25.26.27.28.2
It consists of 9.

An encryption key (here, an encryption key) K to the conventional encryption device 22 is inputted from the signal path 29 . Conventional cryptographic device 22
always performs encryption processing. Input data θ is input from the signal path 24. The human power data θ is outputted to the signal path 25 and the signal path 26 by the flow dividing device 21, and is output to the signal path 27.
Input data 0 is encrypted as data E (K,
θ) is output. The data on the signal path 26 and the signal path 27 are subjected to an exclusive OR operation by the exclusive OR operation device 23, and are outputted to the signal path 28 as authentication public data "(θ)."

The above is the configuration of the communication device 1. Note that the sending side node i is connected from the communication device 1 to the RSA cryptographic parameter generation device 3.
0 is excluded, and the receiving side node j is communication device 1.
It has the same configuration as . In addition, the one-way function calculation device 20
The logical specifications of, that is, all the elements for defining the relationship between input data and output data (cipher algorithm, internal structure, key value, etc.) are common to node i and node j. Yes, and may be made public at nodes i and j.

Next, the operation of this embodiment will be explained.

(1) Operation before starting procedure I The receiving side node j executes the following process before starting procedure I, which will be described later.

■The public key P is generated by the RSA cryptographic parameter generation device 30.
Kj and private key SKj are generated, public key PKj is made public, and private key SKj is kept secret.

■Publish the identifier NIDj of node j.

(2) The modulus value N used in the RSA cryptographic device IO is held in the storage device 52. The modulus value N is public information for each node, and once set, it can be commonly used for any number of secret information communication procedures.

(2) Authentication public data I' (Q iD for authenticating the validity of node i is obtained from node i and stored in the storage device 52.

On the other hand, the sending-side node i executes the following process.

(2) Obtain a public key PKj from node j and store it in the storage device 52.

(2) Obtain the value of the identifier NIDj of node j from node j and hold it in the storage device 52;

(2) The modulus value N used by the RSA cryptographic device 10 is held in the storage device 52.

■Set authentication secret data QiJ for node j.

(2) The value of the secret information S generated or acquired by node i is secretly stored in the storage device 52.

(2) Confidential information communication After the above preparations are completed, confidential information is communicated in step 1 below. Procedure 1 is an example of a secret information communication procedure for transmitting secret information S of node i to node j. A communication procedure is started by one node first, and the other nodes start the communication procedure by receiving a message (i.e., a unit of information communicated by a communication line) from the node that started the communication procedure first. do.

In procedure 1, one step describes an operation that is closed to one node, so the device numbers at each node are not distinguished. Perform each step in numerical order.

Note that in the following explanation, the symbol ■ represents concatenation (combining two values as they are).

(Procedure 1) Step 1: Node i uses the public key PKj for encryption of the RSA cryptographic device 10 of node j to access R9 of its own system.
By the A cryptographic device 10, A I =EXP(S@Qij, PKj) (mad
N)...(9) Calculate. In other words, secret information S and secret authentication data Q
The concatenated data with ij is encrypted to create ciphertext AI. Then, the message C including the ciphertext A1 is transferred to the node j
Send to.

Step 2: Upon receiving message C, node j sends R
By the SA cryptographic device 10, A2=EXP(AI,SKj)(mod N)-9@
Qij (10) is calculated to reproduce the secret information S and the authentication secret data Qij. , Furthermore, this authentication secret data Qij is manually input to the one-way function calculation device 20, and A 3 = r(Q ij) −
Calculate (11). Then, by confirming that this data A3 is equal to the authentication public data f (QiD) obtained from node i before the start of procedure l and owned by node j, the validity of the value of secret information S is verified. When the validity can be verified, the value of the secret information S is secretly stored in the storage device 52. Furthermore, the secret authentication data Qij obtained by equation (10) is deleted after the authentication.

Next, node j uses the RSA cryptographic device 10 to determine that A4=
EXP (NIDj@TIMEj, SKj) (mod
N) --(12) is calculated, and data A4
The message Ca containing the message Ca is sent to node i. Here, N.I.D.
j is the identifier of node j, and TIMEj is data that approximates the transmission time of message Ca.

Step 32 When node i receives message Ca, A5=EXP(A4.PKj) (mod N)=
Calculate NIDj■TIMEj (13). Next, node i checks the validity of the value of this time data TIMEj, taking into account the communication time from node j to node i, and uses the identifier N Dj that has already been obtained as public data of node i. Since the value of the identifier NIDj obtained from the data A5 is equal, it is confirmed that the value of the secret information S has been normally received by the node j.

(End of procedure l) According to this procedure 1, the calculation of the sending node i is (9)
As shown in equations and equations (I3), only the calculation of encryption using the public key PKj is sufficient. Therefore, if a value that reduces the amount of encryption calculation is used as the public key PKj, the calculation capacity of the sending node i can be reduced.

Note that the present invention is not limited to the above embodiments, and the following modifications may be considered.

■In the above example, the case where the public key encryption is RSA encryption is described, but it is also possible to use other public key encryption such as Rabin encryption.
It can be implemented similarly.

(2) In the above embodiment, the one-way function given by equation (8) was used, but the present invention is not limited to this. For example, a one-way function of the following form may be used.

f(θ)-EXP(θ, a> (mod G)・-
- (14) However, f(θ) is public data for authentication, θ is secret data for authentication, and θ and α are integers. Also, G is a large prime number (for example, a lO base number with 00 digits or more), and 0
≦θ<G. Note that α and G are public information.

■The conventional encryption device 22 of the above embodiment is a DES encryption, an FE encryption
Since it can be constructed independently of a conventional cryptographic algorithm such as the AL cryptosystem, any reasonably secure conventional cryptographic algorithm can be used in the conventional cryptographic device. Here, the degree of security required for the cryptographic algorithm of the conventional cryptography depends on the target communication system.

■In the secret information communication procedure, the secret information S in equation (9)
By concatenating additional information in addition to the authentication secret data Qij, arbitrary additional information can be transferred together with the secret information as necessary.

(2) The internal physical configuration of the communication device 1 is arbitrary, and it is also possible to integrate two or more individual devices inside the communication device 1.

(2) When a node secretly stores data in a storage device, the means for ensuring ``secrecy'' (for example, encryption) is arbitrary, as long as it prevents the information from leaking outside the node.

"Effects of the Invention" As explained above, according to the secret information communication system of the present invention, at the node on the receiving side of secret information, public authentication data calculated from secret authentication data by a one-way function calculation device is transmitted. , it is possible to confirm the validity of the secret information, that is, the validity of the node on the sending side of the secret information, and that the secret information has not been tampered with, depending on whether or not it matches the public authentication data obtained from the public information.

In addition, when using R9A encryption as a public key encryption, R9
Only one communication device needs to generate parameters for the A cipher and hold the private key for the R9A cipher, and the other communication device only needs to perform encryption using the public key. By using a value that reduces the amount of calculation, for example, a small value (a decimal number of 3 or more), it is possible to avoid a significant reduction in the amount of calculation for the other communication device. Therefore, as in the case of secret communication between a center and a terminal, it is difficult to communicate confidential information in a communication system where one communication device (center) has a large processing capacity and the other communication device (terminal) has a small processing capacity. It is effective in terms of performance for applications.

The same applies when public key cryptography other than RSA cryptography (for example, Rabin cryptography) is used.

[Brief explanation of the drawing]

FIG. 1 is a block diagram showing an example of the configuration of a communication device (node) according to an embodiment of the present invention, FIG. 2 is a block diagram showing an example of the configuration of the R9A cryptographic device of the same embodiment, and FIG. FIG. 2 is a block diagram showing a configuration example of a unidirectional function calculation device according to the same embodiment. ■...Communication device, 10...R9A encryption device, ■2-15.24-29.41-43...Signal path, 20...1 Directional function calculation device, 21...
...Diversion device, 22... Conventional encryption device, 23... Exclusive OR operation device, 30...
...RSA cryptographic parameter generation device, 51...
Processing device, 52...Storage device, 53...Line control device, 61...Communication line. θ, Qij...Secret data for authentication, f(θ),
f(QiD...Public data for authentication.

Claims (2)

[Claims] (1) In a secret information communication method for communicating secret information between first and second communication devices each having a public key cryptographic device and a one-way function calculation device, the following [1
] to [4]. [1] In the first communication device, the second communication device generates authentication secret data for authenticating the validity of the first communication device, and from this authentication secret data, the one-way function calculation device The first step is to calculate and publish public data for authentication using
[2] A second step in which the second communication device retains the authentication public data sent from the first communication device; [3] The first communication device stores the secret information and the authentication data. The private data is encrypted using a public key cryptographic device, and the ciphertext is sent to the second
[4] The second communication device decrypts the received ciphertext using the public key cryptographic device to obtain secret information and authentication secret data; The output data obtained by inputting the data into the one-way function calculation device is compared with the public data for authentication of the first communication device that is already held, and if they match, the data transmitted from the first communication device is compared. The fourth step is to authenticate that the information is confidential and obtain the confidential information. (2) The secret information communication system according to claim 1, characterized in that RSA encryption is used as the public key encryption.